guten Tag everyone, today i am posting the video showing how to configure Dynamic Virtual Tunnel Interface (DVTI) on Cisco IOS router. DVTI for remote access has been available for a long time already and actually comes to gradually replace the old way of dynamic crypto maps, but as always people are hard to get out of the rut so mainly this great feature goes unnoticed.
In this specific setup I am using DVTI for hairpinning – i.e. I will connect using CIsco VPN client to the router and will tunnel ALL of my traffic through this connection, no split tunnel.
The main benefit of DVTI here is that using DVTI interface I can assign it ip nat inside and router will take care of NAT translating my traffic when sending it clear text to the Internet.
Enjoy
As always you can watch all my videos on Vimeo – vimeo.com/yurisk.info, also you can download there videos as files.
Reference on Cisco: DVTI on CIsco.com
yurisk.info
Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise
Category: Cisco (page 2 of 6)
You never know where your router may end up . It may be RMA’ed without proper wiping the configuration first, it may be plain simple stolen. In any of these or other unfortunate cases the last thing you would want is for the attacker get passwords or other security information stored on the router.
One piece of such information is preshared key(s) , that by default are stored in clear text.
To address this potential threat Cisco, starting IOS 12.3, provide AES encryption feature on IOS routers to encrypt the stored preshared keys. In video below I recorded you can see the walkthrough to enable and manage this security feature.
Enjoy. As always suggestions, critics, comments are welcome .
NB – Narration is in English.
Good evening everyone,
Today a colleague of mine asked if I had a ready-to-use template to schedule a reload of Cisco IOS router .
– “Of course, piece of cake, there should be millions of hits on it in Google” , was my thought. So, after 30 minutes of searching the mighty G and being surprised to have found nothing I dragged from my notes this recipe dated 2007 but still valid as ever.
Enjoy.
NB Word of warning to those trying to do it with built in KRON service of IOS – rebooting a router requires to answer “yes” at the CLI prompt and therefore will NOT work with KRON, only EEM can do it.
IOS used and tested – IOS 12.4T
Edge(config)#event manager applet ReloadMe
Edge(config-applet)#event timer cron name ReloadMe cron-entry “05 09 * * *”
Edge(config-applet)#action 33 reload
wr mem
This will reload router every day at 09:05, for other formats see man page for cron in Linux
….
event manager applet ReloadMe
event timer cron name ReloadMe cron-entry “05 09 * * *”
action 33 reload
As I said already ( here and here ) for gathering Netflow data, especially with security in mind, I deem Nfsen/nfdump to be the best. And with some easy 2-minutes tweaking I can always make it do exactly what I want.
By default when you configure Cisco to export both ingress and egress Netflow data from the interface Nfdump/Nfsen will accept and process it fine BUT … will show it on the same timeline with the same color and so overlapping over each other. That means you will see only the largest values. To fix it you create additional (from Live) profile with separate Channels, each representing direction of the traffic – inbound or outbound. Then for each channel you set appropriate filter – IN for incoming traffic , OUT for outgoing traffic (all respective to the interface being monitored), followed by SNMP ifIndex of the interface in the router. Picture is worth 1024 words they say , so see below screenshots how I did it for one of my clients.
Nfsen custom profile with channels
Nfsen custom profile with channels
[showmyads]
Not much of a post but link to the Cisco site stating how much Netflow loads the Cisco routers:
I, personally, do a lot of Netflow monitoring and can say that on unloaded routers , passing 2-5 mbits/sec of traffic, the additional load will be some 1-2% of CPU cycles. For the most loaded pair of routers I do monitoring for , two Cisco 2800 passing about 70 Mbits/sec of traffic and creating about 900 Mbytes of Netflow data a day each, enabling Netflow added 8% of CPU load and they cope with it perfectly well.
Not limited to CCIE Security Lab only, of course, here is the list of books I find really useful in preparing for the Lab .
Amazon Listmania list
While the reason for me getting involved with this ASA 5510 module is of less interest (client was getting notification message ” LogServer has recently stopped on InterScan for CSC SSM” , more about that at the end of the post) , the module itself looks cute , so I bring here some output to give you a taste what it is.
– General status of the module from ASA CLI prompt.
See that some traffic actually gets redirected to the module.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-open
Class-map: global-class
CSC: packet sent 324010194
CSC: packet received 359600712
Getting details from the Service Module, please wait…
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF777777
Firmware version: 1.0(11)5
Software version: CSC SSM 6.3.1172.4
MAC Address Range: c333.7333.b333 to c333.7333.b333
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.3.1172.4
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 192.168.21.119
Mgmt web port: 8443
Mod Card Type Model Serial No.
— ——————————————– —————— ———–
0 ASA 5510 Adaptive Security Appliance ASA5510 JMX333333
1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9 JAF333333
Mod MAC Address Range Hw Version Fw Version Sw Version
— ——————————— ———— ———— —————
0 3333.3333.3333 to 3333.3333.3333 2.0 1.0(11)5 8.2(3)
1 3333.3333.3333 to 3333.3333.3333 1.0 1.0(11)5 CSC SSM 6.3.1172.4
Mod SSM Application Name Status SSM Application Version
— —————————— —————- ————————–
1 CSC SSM Up 6.3.1172.4
Mod Status Data Plane Status Compatibility
— —————— ——————— ————-
0 Up Sys Not Applicable
1 Up Up
– Now let’s enter the module itself
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is ‘CTRL-^X’.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
———————————————————————
1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit …
Enter a number from [1-10]:
– Are all services are actually running ?
Enter a number from [1-10]: 4
Service Status
———————————————————————
The CSC SSM RegServer service is running
The CSC SSM URLFD service is running
The CSC SSM ScanServer service is running
The CSC SSM HTTP service is running
The CSC SSM FTP service is running
The CSC SSM Notification service is running
The CSC SSM Mail service is running
The CSC SSM GUI service is running
The CSC SSM SysMonitor service is running
The CSC SSM Failoverd service is running
The CSC SSM LogServer service is running
The CSC SSM SyslogAdaptor service is running
The CSC SSM Syslog-ng service is running
The CSC SSM TMCM-Agent service is not enabled
– Troubleshooting information is rather overwhelming
Enter a number from [1-7]: 2
Troubleshooting Tools – Show System Information
———————————————————————
1. Show System Information on Screen
2. Upload System Information
3. Return to Troubleshooting Tools Menu
Enter a number [1-3]: 1
++++++++++++++++++++++
Thu Feb 17 08:04:17 IST 2011 (2)
System is : Up
#@ Product Information
Trend Micro InterScan for Cisco CSC SSM
Version: 6.3.1172.4
Upgrade History: 6.3.1172.4
Engineering Build:
SSM Model: SSM-10
SSM S/N: JAF7777777
#@ Scan Engine and Pattern Information
Virus Scan Engine: 9.2.1012 (Updated: 2010-10-14 07:51:11)
Virus Pattern: 7.841.00 (Updated: 2011-02-17 05:51:23)
Spyware/Grayware Pattern: 1.151.00 (Updated: 2011-02-17 06:51:20)
AntiSpam Engine: 6.5.1024 (Updated: 2010-10-14 07:51:54)
AntiSpam Rule: 17960 (Updated: 2011-02-16 16:53:55)
IntelliTrap Pattern: 0.151.00 (Updated: 2011-02-01 09:07:20)
IntelliTrap Exception Pattern: 0.631.00 (Updated: 2011-02-15 08:51:15)
#@ License Information
Product:Base License
License profile host info check OK.
Version:Standard
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Seats:000100
Status:Activated
Expiration date:10/6/2011
Product:Plus License
License profile host info check OK.
Version:Standard
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status:Activated
Expiration date:10/6/2011
Daily Node Count: 221
Current Node Count: 85
#@ Kernel Information
Linux ssm 2.6.17.8 #13 PREEMPT Fri Nov 6 06:32:00 PST 2009 i686 unknown
ASDP Driver 1.1(0) is UP:
Total Connection Records: 159623
Connection Records in Use: 156
Free Connection Records: 159467
—— Shared Memory Segments ——–
key shmid owner perms bytes nattch status
0x00003186 4653056 root 666 2621440 1
0x00000000 4456449 root 600 16 2 dest
0x00000000 4620290 root 600 1000000 1 dest
0x00000000 4685827 root 600 1048576 1 dest
0x00000000 4718596 root 600 1048576 1 dest
0x00000000 4325381 isvw 600 24632 22 dest